Escaping values for SQL
If your code needs to generate straight SQL calls, you will need to be able to process data that contains double-quote (") and single-quote (') characters, which have special meanings in SQL.
We supply the conn:quote{} function to handle this requirement.
Note: The conn:quote{} function and the sqlescape module quote all returned strings, so you must not add quotes around strings in SQL query text.
How It Works
Simply call conn:quote{} to perform the specific database quoting required:
The conn:quote{} function quotes all returned strings, so you must not add quotes around strings in SQL query text.
Doing so will produce an error as shown:
Adding quotes without escaping worked (above) for "Smith", but it fails (below) for "O'Toole" because the apostrophe inside the name is not escaped and ends the string literal early:
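To make the apostrophe problem concrete, here is an added Lua illustration that is not part of the original page and is not Iguana's own implementation of conn:quote{}: a minimal quote function that applies the standard SQL rule of doubling embedded single quotes, shown beside the naive add-quotes-only approach for the same two names. The table and column names (Patient, LastName) are constructed for the example; conn:quote{} plays the role of the quote function here and additionally applies the quoting rules of the connected database.

```lua
-- Added illustration (not Iguana's conn:quote{} implementation): shows why
-- "Smith" survives naive quoting while "O'Toole" does not, and how doubling
-- the embedded single quote fixes it.

-- Quote a Lua value as a SQL string literal: double every embedded single
-- quote and wrap the result in single quotes. nil becomes the SQL NULL.
local function quote(value)
   if value == nil then
      return 'NULL'
   end
   local s = tostring(value)
   -- gsub returns two values; the parentheses keep only the new string.
   return "'" .. (s:gsub("'", "''")) .. "'"
end

-- The naive approach from the text: wrap in quotes but do not escape.
local function naive(value)
   return "'" .. tostring(value) .. "'"
end

-- Build the query text with whichever quoting routine is supplied.
-- Patient / LastName are constructed names for this example.
local function buildQuery(lastName, quoter)
   return "SELECT * FROM Patient WHERE LastName = " .. quoter(lastName)
end

-- A literal is well-formed only if the quote characters pair up, i.e. the
-- count of single quotes is even. Used here as a cheap sanity check.
local function balanced(sql)
   local _, count = sql:gsub("'", "'")
   return count % 2 == 0
end

for _, name in ipairs{"Smith", "O'Toole"} do
   local bad  = buildQuery(name, naive)
   local good = buildQuery(name, quote)
   print(bad,  balanced(bad)  and "ok" or "UNBALANCED -> SQL error")
   print(good, balanced(good) and "ok" or "UNBALANCED -> SQL error")
end
-- Naive quoting of O'Toole yields 'O'Toole' (unbalanced); quote() yields
-- 'O''Toole', which the database reads back as O'Toole.
```

Note that, as the page says of conn:quote{}, the quote function already supplies the surrounding quotes, so the query text concatenates its result directly without adding any of its own.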
Sample Code
Copy the Escape a SQL query string code sample from our repository.
What’s Next?
We showed you how to escape strings that you use for SQL queries. We strongly recommend that you use the conn:quote{} function, rather than the legacy sqlescape module.
For more information on working with databases see the following pages: